Description:
------------
PHP5 for apache 1.3.33 built as DSO allows php_admin_value (php_admin_flag) options marked as PHP_INI_SYSTEM to be reset in .htaccess files by using php_value (php_flag). safe_mode for example.
To demonstrate the problem in php.ini set safe_mode = Off, in httpd.conf, set:
php_admin_value safe_mode on
Get phpinfo to verify that safe_mode is on.
Now create .htaccess file in document_root containing:
php_flag safe_mode off
(or even php_flag safe_mode on)
Get phpinfo again and note that safe_mode was reset to off (php.ini initial value)